Category Archives: Security

Enabling Bitlocker with MDT

Enabling Bitlocker with MDT 2010.

Bitlocker

BitLocker is a full-volume encryption feature built into Windows that encrypts the volumes of client and server systems, unlocking them with a key protector (such as the TPM or a password) and storing a recovery key for emergencies.

The Basic Process:

1. Deploy MDT, build your deployment task sequence, and include Enable Bitlocker.

2. Configure Customsettings.ini to satisfaction within MDT.

3. Ensure the deployment image meets the requirements for Bitlocker.

4. Deploy the task sequence to your target computer(s).

5. Complete the task, then check Active Directory for the escrowed recovery key.

A Caveat: This post assumes the Active Directory schema has already been extended and configured to store BitLocker key escrow and TPM information before you continue. (Technet)

Task Sequence Steps:

1. ***This step is done on the reference computer, not the MDT server.*** Open Start, run GPEDIT.MSC, and ensure the desired policies are enabled and set to send encryption information to Active Directory. Those areas include:

  • Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption: double-click ‘Store Bitlocker information in Active Directory Domain Services’, select ‘Enabled’ and click ‘OK’.
  • Next, open Fixed Data Drives and, within it, open the ‘Choose how’ policy, select ‘Enabled’ and click ‘OK’.
  • Open Operating System Drives, open its ‘Choose how’ policy, select ‘Enabled’ and click ‘OK’.
  • Computer Configuration\Administrative Templates\Trusted Platform Module Services: open ‘Turn on TPM backup to Active Directory Domain Services’, select ‘Enabled’ and click ‘OK’.

2. Launch the MDT 2010 deployment workbench. Open the task sequence dropdown, and select ‘New Task Sequence’.

3. MDT launches a wizard; select Standard Client Task Sequence or Custom Task Sequence, whichever your deployment needs. Click through, provide the required information, and complete the wizard. See the previous post.

4. When the task sequence is built, find it on the list, right click and select properties.

5. Click the Task Sequence tab and find Enable BitLocker (for a custom task sequence: Add\Disks\Enable Bitlocker). In a standard client task sequence, Enable BitLocker sits about halfway down the task steps, under the Custom Tasks group. Click it and either copy/paste it, or click the down arrow until it is the last task in the sequence. Important: BitLocker must be enabled AFTER the computer has joined the domain in the task sequence, or the key will not escrow to AD.

6. Once the task sequence is built, check and customize MDT’s customsettings.ini. This file lets you customize and streamline the deployment wizard: show or hide particular wizard pages and supply their information automatically.

7. Go to the MDT deployment share, right-click it, and open Properties. Click the Rules tab and the default cs.ini appears. Add or confirm the following in cs.ini (taken from the MDT help library):

BDEInstall=TPM
BdeInstallSuppress=NO
BDeWaitForEncryption=False
BDEDriveSize=2000
BDEDriveLetter=S:
BDEKeyLocation=C:
SkipBitLocker=YES
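
As an added example (not from the original post), the following PowerShell reads CustomSettings.ini the way MDT resolves it (sections in [Settings] Priority order, first definition of a property wins) and flags BitLocker property combinations that would leave the Enable BitLocker step with nothing to do. The Control\CustomSettings.ini path under the share and the server name are assumptions.

```powershell
# Added example (not from the original post): parse CustomSettings.ini as MDT does
# (sections resolved in [Settings] Priority order, first definition of a property wins)
# and flag BitLocker property combinations that make the Enable BitLocker step do nothing.
function Get-CsIniSettings {
    param([Parameter(Mandatory)][string]$Path)
    $sections = @{}; $current = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }          # blank or comment line
        if ($t -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $t -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if (-not $sections.ContainsKey('Settings')) { throw "No [Settings] section in $Path" }
    $resolved = @{}
    $priority = @($sections['Settings']['Priority'] -split ',' | ForEach-Object { $_.Trim() })
    foreach ($sec in $priority) {
        if (-not $sections.ContainsKey($sec)) { continue }
        foreach ($k in $sections[$sec].Keys) {
            if (-not $resolved.ContainsKey($k)) { $resolved[$k] = $sections[$sec][$k] }
        }
    }
    return $resolved
}

function Test-BdeSettings {
    param([Parameter(Mandatory)][hashtable]$Settings)
    $problems = @()
    $install = $Settings['BDEInstall']
    if ($Settings['SkipBitLocker'] -match '^yes$' -and -not $install) {
        $problems += 'SkipBitLocker=YES hides the wizard page, so BDEInstall must be set or BitLocker is never enabled.'
    }
    if ($install -and @('TPM','TPMKey','TPMPassword','Key','Password') -notcontains $install) {
        $problems += "BDEInstall='$install' is not one of the documented values."
    }
    if ($Settings['BDEInstallSuppress'] -match '^yes$' -and $install) {
        $problems += 'BDEInstallSuppress=YES skips BitLocker installation, contradicting BDEInstall.'
    }
    if ($Settings['BDEDriveLetter'] -match '^C:?$') {
        $problems += 'BDEDriveLetter must not be the OS volume (C:).'
    }
    return $problems
}

# Assumed path: MDT keeps CustomSettings.ini in the Control folder of the deployment share.
$issues = Test-BdeSettings -Settings (Get-CsIniSettings -Path '\\mdt\DeploymentShare$\Control\CustomSettings.ini')
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'BitLocker settings in cs.ini look consistent.' }
```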

8. Deploy the task sequence containing “Enable Bitlocker” to the target computer.

9. Check the Active Directory key escrow: find the computer object, open its properties, and click the BitLocker Recovery tab.
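
To automate the check in step 9 (and step 5 of the basic process), here is an added PowerShell example, not from the original post, that compares the recovery password protector IDs manage-bde reports for the OS volume with the msFVE-RecoveryInformation objects stored under the computer account in AD. It assumes the ActiveDirectory RSAT module is installed, that manage-bde prints in English, and that the account running it can read the computer’s child objects.

```powershell
# Added example (not part of the original post): confirm that each recovery password
# protector on the OS volume has a matching msFVE-RecoveryInformation object under the
# computer account in AD. Assumes the ActiveDirectory RSAT module, English manage-bde
# output, and read access to the computer object's children.
function Get-LocalRecoveryIds {
    param([string]$Volume = 'C:')
    $text = (manage-bde -protectors -get $Volume) -join "`n"
    # Only Numerical Password protectors are escrowed; the TPM protector's ID is ignored.
    $m = [regex]::Matches($text, 'Numerical Password:\s*ID:\s*\{([0-9A-Fa-f-]{36})\}')
    return @($m | ForEach-Object { $_.Groups[1].Value.ToUpper() })
}

function Get-EscrowedRecoveryIds {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName
    # Escrowed objects are children of the computer object; their CN ends in {RecoveryGuid}.
    $objs = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                         -SearchBase $computer.DistinguishedName -SearchScope OneLevel
    return @($objs | ForEach-Object {
        if ($_.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1].ToUpper() }
    })
}

function Test-BitLockerEscrow {
    param([string]$Volume = 'C:', [string]$ComputerName = $env:COMPUTERNAME)
    $local = Get-LocalRecoveryIds -Volume $Volume
    $inAd  = Get-EscrowedRecoveryIds -ComputerName $ComputerName
    if ($local.Count -eq 0) {
        Write-Warning "No recovery password protector on $Volume; did the Enable BitLocker step run?"
    }
    foreach ($id in $local) {
        [pscustomobject]@{ RecoveryId = $id; EscrowedInAD = ($inAd -contains $id) }
    }
}

$report = @(Test-BitLockerEscrow)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.EscrowedInAD }) {
    # The usual cause: Enable BitLocker ran before the domain join in the task sequence.
    Write-Warning 'Recovery key(s) missing from AD; check that Enable BitLocker runs after the domain join.'
}
```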

NOTES:

– With MDT and cs.ini there is a huge number of potential options; mine is configured as follows, with customsettings.ini (see below) set up to let BitLocker activate and run through its process.

Full customsettings.ini configuration for this computer:
[Settings]

Priority=Default
Properties=MyCustomProperty
[Default]
BDEInstall=TPM
BdeInstallSuppress=NO
BDeWaitForEncryption=False
BDEDriveSize=2000
BDEDriveLetter=S:
OSInstall=Y
SkipAppsOnUpgrade=YES
SkipCapture=NO
SkipAdminPassword=YES
AdminPassword=
SkipProductKey=YES
SkipBitLocker=Yes
SkipUserData=YES
SkipTimeZone=YES
TimeZoneName=Eastern Standard Time
SkipApplications=YES
SkipPackageDisplay=YES
SkipLocaleSelection=YES
KeyboardLocale=0x00000409
UserLocale=en-US
UILanguage=en-US

Troubleshooting:

– The LTI deployment process cannot run Sysprep on a target computer whose disk is encrypted with BitLocker.

  • In this case you need to decrypt. If you are deploying from an image, make sure the image is decrypted and BitLocker turned off before Sysprep and capture; once it is, you are free to try again.

USEFUL LINKS:

Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module

Technet property reference for customsettings.ini

Uploading an Image to MDT 2010

Uploading a New Image

The Basic Process:

  1. If your MDT does not have one already, create an upload/download task sequence. You only need one for both tasks (Sysprep and Capture).
  2. Upload the current image to a computer and set it up how you want.
  3. Run “\\mdt\DeploymentShare\litetouch.vbs”.
  4. Select the task sequence, “Upload an Image”.
  5. Name your new image, and make it happen.
  6. Create a new task sequence for downloading the new image.
  7. Update the Deployment Share.

Helpful Details:

Creating a new Task Sequence for Upload

A NOTE BEFORE BEGINNING: FAMILIARIZE yourself with MDT and its functionality, especially the area concerning task sequences. MDT has a built-in reference library organized as an index, and it includes step-by-step instructions for most MDT-related tasks. The library is also linked to the various MDT tools for technical detail and easy reference.

1. To start the task sequence, launch the MDT 2010 workbench on the MDT VM. Click the Task Sequences node, then look to the right side of the screen and click ‘New Task Sequence’. A variety of other options exist, but ignore those for now.

2. MDT initiates a wizard. Select a name and ID, add any required notes for your task, then open the drop-down of preexisting templates and select the Sysprep and Capture template. Make sure to select the correct Operating System, that is, the one matching the Operating System you intend to capture.

3. The actual task sequence is run from the computer you are intending to capture.

4. **A common mistake at this point is to boot the reference computer from your LiteTouch image and start this task sequence (Kevin Ledman, Core team blog).** Don’t do it.

5. To run the task sequence, connect to the deployment share and launch LITETOUCH.WSF manually from a command prompt.

6. Run CMD and enter:

net use \\mdt\DeploymentShare$ /user:domain\username

7. Once the connection is established, execute LiteTouch.WSF:

cscript \\mdtserver\DeploymentShare$\Scripts\LiteTouch.WSF

8. MDT wizard screens then appear, prompting for the information needed to complete the task sequence.

9. Select the task sequence you created earlier in step 3.

10. Use your Sysprep and Capture option, and supply the location for storage and name of the image you are capturing.

11. Supply your login credentials and follow the wizard steps.

(Summary screen)

12. MDT takes control and the task sequence runs its course, assuming it is not interrupted. MDT copies the reference computer, runs Sysprep, and applies the LiteTouch image. The computer reboots during this phase.

13. The computer reboots; in this portion the size of the image and the speed of the computer govern the time required for the installation. Expect this step to take a substantial amount of time.

14. After the capture completes, go back to MDT and import the image as a custom image file in MDT itself, for use in future task sequences.

15. To do this, click Operating Systems in the index on the left. On the right, click ‘Import Operating System’; this launches another wizard.

16. Select Custom image file, click Next, and browse to your file. Most likely it is under:

D:\DeploymentShare\Captures

17. Include the setup files for the OS you are importing and complete the wizard. This is important: if you select the wrong OS, the system will not install on subsequent attempts.

18. You should be done. The file is available for use with any new task sequence you need.

**All these techniques were taken from Technet or similar blogs; the content is the property of their respective authors. Thanks for the information!

The most common error:

The task sequence has been suspended. LiteTouch has encountered an Environment Error (Boot into WinPE!) OK to Reboot

There are two primary scenarios where this can happen (although it is not limited to these). We can encounter this error when booting into a LiteTouch WinPE image.

  • With the “The task sequence has been suspended” dialog up, don’t click OK; press F8 right then and run diskpart from the PE instance (or boot a standard Windows PE and open diskpart there): select disk 0 and type “clean”. After this, you will be able to boot the LiteTouch.wim install and start over again.
  • The user is in the middle of a LiteTouch OS installation and booted back into WinPE when the new OS should be running. Remove the WinPE boot media or adjust the boot order.
  • A LiteTouch installation is started from scratch, *however* a previous LiteTouch task sequence was running and was not properly cleaned up. In that case remove the c:\minint\ and/or c:\_SMSTaskSequence directory and reboot back into WinPE.
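
As an added example (not from either post), here is a PowerShell pre-flight check for the reference computer that covers both the Sysprep caveat from the BitLocker post (the OS volume must be fully decrypted before Sysprep and capture) and the stale-state scenario above (leftover c:\minint or c:\_SMSTaskSequence). It assumes English manage-bde output and an elevated prompt.

```powershell
# Added example (not from the original posts): run on the reference computer before
# launching LiteTouch. Fails if the OS volume is still BitLocker encrypted (Sysprep cannot
# run on it) or if an earlier LiteTouch run left its working directories behind.
# Assumes English manage-bde output and an elevated prompt.
function Get-BdeStatus {
    param([string]$Volume = 'C:')
    $text = (manage-bde -status $Volume) -join "`n"
    $conv = if ($text -match 'Conversion Status:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
    $prot = if ($text -match 'Protection Status:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
    return [pscustomobject]@{ Volume = $Volume; Conversion = $conv; Protection = $prot }
}

function Test-ReadyForCapture {
    param([string]$Volume = 'C:')
    $ok  = $true
    $bde = Get-BdeStatus -Volume $Volume
    if ($bde.Conversion -ne 'Fully Decrypted' -or $bde.Protection -ne 'Protection Off') {
        Write-Warning ("{0} is '{1}' / '{2}': turn BitLocker off and wait for decryption before Sysprep." -f
            $bde.Volume, $bde.Conversion, $bde.Protection)
        $ok = $false
    }
    # Leftovers from an interrupted task sequence are what trigger the 'Environment Error' dialog.
    foreach ($dir in 'C:\MININT', 'C:\_SMSTaskSequence') {
        if (Test-Path -LiteralPath $dir) {
            Write-Warning "Stale LiteTouch state found at $dir; remove it before starting over."
            $ok = $false
        }
    }
    return $ok
}

if (Test-ReadyForCapture) { 'Reference computer is ready for Sysprep and Capture.' }
```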

Good references:

How to run a Sysprep and Capture Task Sequence From MDT 2010
(For a generalized breakdown of the process.)

LiteTouch has encountered an Environment Error
(For error correction; several are covered.)